Removing Malware From Your Computer

After working with quite a few people to clear their computers of ZeroAccess, FBI MoneyPak, Rootkit.Boot.Harbinger and other pieces of malware, I have developed a two-step routine for disinfecting Windows computers and then attempting to repair the damage these infections leave behind. Your best bet is to proactively create a CD-R disc or a USB flash drive of all the clean-up tools you will need and keep it in a safe place with your Operating System disc. Trying to download software while infected can be frustrating or nearly impossible, and may require a second computer just to avoid all the freezing, pop-ups, crashes, or redirects to random websites carrying even more viruses. Also, with external USB hard drives being so cheap nowadays, there is no excuse not to back up your files on a regular basis. You never know when a virus will hide, delete, or hold your important files for ransom, or corrupt an application so that it has to be re-installed from the original installation CD with its serial # key.

Disinfection

I’ve read many websites regarding cleaning up viruses, trojans, worms, backdoors, adware, and spyware, and each website has its own routine. As an IT professional, the following is what has worked for me time and time again. If your computer is already infected and you are having problems downloading my suggested software, trying a different web browser may help: instead of Internet Explorer, see if you have Google Chrome, Mozilla Firefox, or Apple Safari installed and try the download links there. Read this whole article, because depending on how infected your computer is, my last suggestion may be the one that saves you when all else fails. Here are the steps and software links I use:

  1. CleanUp! If possible, run this first to clean up the temporary files applications leave behind, as well as cookies from web browsers. This will speed up the virus scan since it won’t have to go through all those extra files. After installation I go into the Options and uncheck Enable sounds. If you don’t have anything important in the Recycle Bin, leave that checked, click OK, and then click the CleanUp! button. This is a free download, but if you find the software useful you have the option of donating.
  2. Start the computer into Safe Mode with Networking by first going to Start –> Shutdown, or pressing Ctrl + Alt + Del and, in the bottom right-hand corner, pressing the white arrow on the red button and selecting Shutdown. If that doesn’t work, forcefully shut down the computer by holding the power button in for 10-15 seconds until it powers off. At that point locate the F8 key at the top of the keyboard and turn your computer back on. Immediately start pressing the F8 key once every second. When the black background with white menu options appears on the screen, use the up and down arrows on the keyboard to select Safe Mode with Networking and press Enter. (The Networking option allows the computer to still connect to the Internet while in Safe Mode.) If this menu doesn’t appear and Windows boots up normally, you were too slow and need to try again. Laptops on docking stations sometimes need to be taken off the docking station for this to work.
  3. Malwarebytes Free During the installation I usually uncheck the Premium trial and go with running and updating the free version. However, you have the option to evaluate the Premium edition; after a period of time it will expire and you can purchase a subscription to the Premium product. After installation be sure to go to the Update tab and click Check for Updates. Then start a Full Scan on the C:\ drive and any other re-writable storage media such as a USB flash drive. If your computer comes with a separate recovery partition I’d scan that too (sometimes D:\, so double-check all the drives listed in Computer). I’ve seen Full Scans take 30-60+ minutes, and sometimes longer depending on the speed of the computer and the number of files. Once the scan is finished go to Show Results. After looking over the list of objects it detected, I usually right-click the list, select Check All Items, and then press the Remove Selected button. At that point it will open a text log file and offer to reboot the computer back into regular Windows mode, so accept that.
  4. TDSSKiller Download the TDSSKiller.exe file under "1. How to disinfect a compromised system". Run TDSSKiller, accept the agreement and click Start Scan. If it finds anything I usually stick with the default selection, which can be quarantine or skip. If it finds malware it will take the appropriate action and prompt to restart the computer.
  5. ComboFix If at this point the computer is back in working order, I would skip down to the Repair section. ComboFix does a good job of getting rid of what the other methods miss; however, it is an aggressive scanner that in my experience can disconnect a remote assistance session using GoToAssist, and I’ve also seen it disable a program called RateWatch, requiring re-installation. If possible, first disable any anti-virus software you have; otherwise ComboFix may warn you before starting. You can accept this warning and continue anyway. It will go through 50 phases, which can take 10+ minutes, and then generate a text file. At that point you can restart the computer.
  6. If all else fails: Kaspersky Rescue Disk 10 For those infections that totally cripple Windows to the point where it is unresponsive, or where the virus takes over your screen. Burn this to a CD or follow the instructions to put it on a USB flash drive, and restart your computer. On a Dell computer start tapping F12 to get to the Boot Menu, where you can select the CD\USB that Kaspersky is on. Depending on your model of computer it may be a different key to get to the boot options. When Kaspersky first starts, select the Graphical Mode, and once it loads to the Desktop, update the software first before running a full scan.

Repair

Hopefully at this point your computer is responsive and the virus has been disabled, loosening the paralyzing grip it had on Windows. Here are two other optional things to try if something still isn’t quite right.

  • System Restore – Windows periodically takes a snapshot of important system files, so that if an update fails or a software installation goes wrong you can roll back to the snapshot. This can be useful for going back to a point in time before the virus, when the computer was functional.
  • Re-create The User Profile – First log into a different profile with administrative privileges. For WORKGROUP computers, found in most homes and some small businesses, go to C:\Users, find the profile you normally use, and rename it, e.g. from C:\Users\name to C:\Users\name.old. For computers on a DOMAIN follow these instructions. After you complete these steps you will have to log back into your original profile and copy\merge the Desktop, My Documents, Outlook Files, My Pictures, etc. from the .old folder you renamed into the new folder that matches the username. You may also have to set up e-mail again, add any archives\personal folders, and re-install some software or printers.

Now you will want to remove any leftover unwanted software, toolbars or add-ons –

  1. Within the Control Panel go to Programs and Features and examine the list of applications on your computer. It may be a lengthy list of some items you recognize and others you are not quite sure about.
  2. Adwcleaner will help to get rid of most unwanted items. First click Scan; once the scan is complete it gives you an opportunity to go through each tab and uncheck anything you want to keep. Then click Clean and it will prompt to restart the computer to complete the cleanup, generating a log file once the restart is complete.
  3. Should I Remove It? is a website you can search, and also a program you can install, to scan your computer and give you ratings and information about programs to help you decide whether or not to keep them.
  4. If any program gives you a problem when trying to un-install it, you can use this Microsoft Fixit tool, which may be able to remove it.
  5. Change your homepage back to your own selection within each web browser, and disable and remove any unwanted extensions or add-ons. Change the search engine back to one of your choice. If something still isn’t right with your web browser, such as freezing or crashing, reset the browser back to its default settings. Internet Explorer, Firefox, and Google Chrome each have their own reset procedure.

If you are having problems with Windows related services and features being disabled or non-functional –

  • ESET services repair is a quick and easy tool that can help with fixing broken services such as Windows Update and Windows Firewall.
  • Windows Repair All In One is a comprehensive tool to repair damage from malware. The Backup tab is useful for creating a registry backup or System Restore point before going to the Start Repairs tab. You also have the option to unhide files that may have been hidden.
  • Use a search engine such as google.com to search for articles on the error code you are receiving. Websites that allow proposed solutions to be rated and commented on are helpful for sorting out what works and what doesn’t.
  • System File Checker can be used to verify that Windows files are in good shape; if any are not, SFC will replace them with a good copy.
  • Running Check Disk from the command prompt will reboot your computer to scan the hard drive for errors. chkdsk /F is a good place to start. Chkdsk relies on the autochk.exe file to function, so if you run chkdsk and your computer doesn’t run a scan during the reboot, there is a good chance you will first have to repair that file with System File Checker.
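The following PowerShell script is an added example, not part of the original post and not one of the tools it links. It automates the checks in the list above from a defender's side: it puts back the start type of the services malware most often disables, runs System File Checker, and confirms that autochk.exe and the BootExecute registry value that launches it are still in place before scheduling chkdsk. It assumes an elevated PowerShell 3.0 or later prompt, the standard Windows service names shown in the comments, and C: as the system drive; the list of services is my own choice, not the author's.

```powershell
# Added example (not from the original article or the tools it links).
# Run from an elevated PowerShell 3.0+ prompt. Assumes the standard service
# names below and C: as the system drive.
#Requires -RunAsAdministrator

# 1. Services that malware frequently disables, and the start type each normally has.
$expected = @{
    'wuauserv'  = 'Manual'     # Windows Update
    'BITS'      = 'Manual'     # Background Intelligent Transfer Service (used by Windows Update)
    'MpsSvc'    = 'Automatic'  # Windows Firewall
    'wscsvc'    = 'Automatic'  # Security Center
    'WinDefend' = 'Automatic'  # Windows Defender
}

foreach ($name in $expected.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # The service registration itself is gone; Set-Service cannot recreate it.
        Write-Warning "$name is not registered at all; use the ESET or Windows Repair tools above."
        continue
    }
    # WMI reports the start type as Auto/Manual/Disabled on every supported Windows version.
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    if ($startMode -eq 'Disabled') {
        Write-Host "$name was Disabled; setting it back to $($expected[$name])"
        Set-Service -Name $name -StartupType $expected[$name]
    }
    if ($expected[$name] -eq 'Automatic' -and $svc.Status -ne 'Running') {
        Start-Service -Name $name -ErrorAction Continue
    }
}

# 2. System File Checker verifies protected Windows files and replaces bad copies.
sfc /scannow

# 3. The boot-time chkdsk is carried out by autochk.exe, launched from the BootExecute
#    value. If either is missing the scan silently never happens (the symptom described above).
$autochk     = Join-Path $env:SystemRoot 'System32\autochk.exe'
$bootExecute = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').BootExecute -join ' '
if (-not (Test-Path $autochk)) {
    Write-Warning "autochk.exe is missing; repair it with 'sfc /scanfile=$autochk' before scheduling chkdsk."
} elseif ($bootExecute -notmatch 'autocheck autochk') {
    Write-Warning "BootExecute no longer runs autochk (current value: '$bootExecute'); restore 'autocheck autochk *' before scheduling chkdsk."
} else {
    # Schedule a repair scan of the in-use system drive for the next restart;
    # the piped 'Y' answers chkdsk's "schedule on next restart?" prompt.
    cmd /c 'echo Y | chkdsk C: /F'
}
```

A service whose registry key has been deleted outright cannot be fixed with Set-Service, which is why the script only warns in that case and leaves the repair to the tools listed above.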

Finally it would be good to check if these items are functional and up-to-date: Security\Anti-virus software, Windows Updates, and other applications that may be targeted by exploits.

  • If you need to install anti-virus software, you can read through Dennis Technology Labs’ reports on anti-virus protection. Avast! and AVG are two of the options on this list that are effective and free.
  • Based on this Kaspersky Security Bulletin, the applications most exploited by cybercriminals include Oracle Java, Windows components, Adobe Acrobat\Reader\Flash Player, Internet Explorer, and Microsoft Office, so these should be given top consideration for updating. However, if you use this computer for work, you may want to consult with your IT Department before updating these items to confirm that any specialized software you use to do your job will still be compatible with the updated versions.
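The following PowerShell script is an added example, not part of the original post or any of the tools it links. It supports both the Programs and Features review in the previous section and the "is it up to date?" check here: it lists every installed program newest-first (unfamiliar entries installed around the time of the infection stand out), picks out the applications the Kaspersky bulletin names, and reports anti-virus and Windows Update status. It assumes PowerShell 3.0 or later on a client edition of Windows 7 or newer (the Security Center WMI namespace is absent on server editions) and the standard registry Uninstall keys; the watch-list name patterns are constructed from the list above and may need adjusting, and the productState decoding is the commonly used community interpretation of an undocumented field.

```powershell
# Added example (not from the original article or the tools it links).
# Assumes PowerShell 3.0+ on a client edition of Windows 7 or newer.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Everything Programs and Features would show, newest install first.
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher,
        @{ Name = 'InstallDate'; Expression = {
            # InstallDate is stored as yyyyMMdd text; leave it blank when absent or malformed.
            if ($_.InstallDate -match '^\d{8}$') {
                [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
        } } |
    Sort-Object InstallDate -Descending

$programs | Format-Table -AutoSize
$programs | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\installed-programs.csv') -NoTypeInformation

# 2. Applications the Kaspersky bulletin names as the most exploited. Matching on the
#    display name shows every installed copy, including stale side-by-side versions.
#    (Constructed patterns; adjust to the products actually installed.)
$watchList = 'Java', 'Adobe Reader', 'Adobe Acrobat', 'Flash Player', 'Microsoft Office'
Write-Host "`nCommonly exploited applications found on this computer:"
foreach ($pattern in $watchList) {
    $programs | Where-Object { $_.DisplayName -like "*$pattern*" } |
        ForEach-Object { Write-Host ("  {0,-45} {1}" -f $_.DisplayName, $_.DisplayVersion) }
}

# 3. Anti-virus as registered with Windows Security Center. productState is an undocumented
#    bit field; the usual reading is bit 0x1000 = real-time protection on, bit 0x10 = definitions out of date.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object {
        $enabled   = ($_.productState -band 0x1000) -ne 0
        $outOfDate = ($_.productState -band 0x10)   -ne 0
        "AV: {0}  enabled={1}  definitions out of date={2}" -f $_.displayName, $enabled, $outOfDate
    }

# 4. Windows Update service state and the most recently installed hotfix.
Get-Service wuauserv | Select-Object Name, Status
$lastUpdate = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Most recent hotfix: {0} installed {1}" -f $lastUpdate.HotFixID, $lastUpdate.InstalledOn
```

The CSV on the Desktop is handy to keep with the other logs the clean-up tools generate, and to compare against a later run after the repairs are done.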


Final Thoughts

Cleaning your computer of malware is a process that requires time and patience. Depending on your situation and available resources, sometimes it is just faster to re-format or factory reset your machine, restore files and folders from backup, and re-install software with any serial # key if required. If you can’t find the documentation containing the serial # keys, Belarc Advisor can run a scan and generate a web report of information about your computer, including a section called Software Licenses with a list of keys.

Going forward, just know that with the Internet there is always a catch. “Free” software will always try to include a bunch of optional software that you will want to read through and most likely uncheck or opt out of. Websites will want to mislead you and offer software or updates that you do not need. Your e-mail address and personal contact information will be requested in order to access information; sometimes giving up this information is not necessary, and there may be other, better sites that let you readily access the same information. You may get an e-mail with an attachment from someone you do not know, and it is OK not to open the attachment and to delete the e-mail or mark it as spam if there is no other way to contact this person to verify their identity or intent. Showing restraint when encountering requests to install or make changes on your computer can help prevent infections in the future and keep you productive.

2 Comments:

  1. Hello There. I found your blog using msn. This is an extremely well written article.

    I will make sure to bookmark it and come back to read more of your useful information. Thanks for the post.

    I will definitely come back.

  2. Wow, this paragraph is nice, my younger sister is analyzing these things, thus I am going to convey her.
